More little misc patches.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Index: refpolicy-2.20210203/policy/modules/admin/acct.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/acct.te
+++ refpolicy-2.20210203/policy/modules/admin/acct.te
@@ -57,6 +57,7 @@ init_use_fds(acct_t)
init_use_script_ptys(acct_t)
init_exec_script_files(acct_t)
+logging_search_logs(acct_t)
logging_send_syslog_msg(acct_t)
miscfiles_read_localization(acct_t)
Index: refpolicy-2.20210203/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210203/policy/modules/admin/bootloader.te
@@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t)
allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
+allow bootloader_t self:netlink_selinux_socket connected_socket_perms;
allow bootloader_t bootloader_etc_t:file read_file_perms;
# uncomment the following lines if you use "lilo -p"
@@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
kernel_getattr_core_if(bootloader_t)
+kernel_read_crypto_sysctls(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
@@ -152,8 +154,12 @@ miscfiles_read_localization(bootloader_t
mount_rw_runtime_files(bootloader_t)
+selinux_get_enforce_mode(bootloader_t)
selinux_getattr_fs(bootloader_t)
+selinux_search_fs(bootloader_t)
+selinux_use_status_page(bootloader_t)
seutil_read_bin_policy(bootloader_t)
+seutil_read_config(bootloader_t)
seutil_read_file_contexts(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
Index: refpolicy-2.20210203/policy/modules/admin/brctl.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/brctl.te
+++ refpolicy-2.20210203/policy/modules/admin/brctl.te
@@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
# Local policy
#
-allow brctl_t self:capability net_admin;
+allow brctl_t self:capability { net_admin sys_module };
allow brctl_t self:fifo_file rw_fifo_file_perms;
allow brctl_t self:unix_stream_socket create_stream_socket_perms;
allow brctl_t self:unix_dgram_socket create_socket_perms;
Index: refpolicy-2.20210203/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210203/policy/modules/admin/logrotate.te
@@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t)
init_stream_connect(logrotate_t)
init_manage_all_units(logrotate_t)
+libs_exec_lib_files(logrotate_t)
+
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
Index: refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/cdrecord.fc
+++ refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
@@ -1,3 +1,4 @@
/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/cdrskin -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
Index: refpolicy-2.20210203/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210203/policy/modules/apps/games.te
@@ -92,7 +92,9 @@ optional_policy(`
allow games_t self:fifo_file rw_fifo_file_perms;
allow games_t self:sem create_sem_perms;
allow games_t self:tcp_socket { accept listen };
+allow games_t self:process getsched;
+manage_dirs_pattern(games_t, games_data_t, games_data_t)
manage_files_pattern(games_t, games_data_t, games_data_t)
manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
@@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t)
manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+allow games_t games_tmp_t:file map;
+
files_tmp_filetrans(games_t, games_tmp_t, { file dir })
manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
@@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t)
corenet_sendrecv_generic_client_packets(games_t)
corenet_tcp_connect_generic_port(games_t)
+corenet_udp_bind_generic_node(games_t)
+
dev_read_sound(games_t)
dev_read_input(games_t)
dev_read_mouse(games_t)
@@ -136,13 +142,16 @@ dev_rw_dri(games_t)
dev_write_sound(games_t)
files_list_var(games_t)
+files_search_mnt(games_t)
files_search_var_lib(games_t)
files_dontaudit_search_var(games_t)
+files_map_usr_files(games_t)
files_read_etc_files(games_t)
files_read_usr_files(games_t)
files_read_var_files(games_t)
fs_dontaudit_getattr_xattr_fs(games_t)
+fs_search_nfs(games_t)
init_dontaudit_rw_utmp(games_t)
@@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t)
userdom_manage_user_tmp_files(games_t)
userdom_manage_user_tmp_symlinks(games_t)
userdom_manage_user_tmp_sockets(games_t)
+userdom_use_user_ptys(games_t)
userdom_dontaudit_read_user_home_content_files(games_t)
tunable_policy(`allow_execmem',`
@@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',`
optional_policy(`
alsa_read_config(games_t)
+ alsa_read_home_files(games_t)
')
optional_policy(`
Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
+++ refpolicy-2.20210203/policy/modules/apps/gpg.te
@@ -137,6 +137,7 @@ logging_send_syslog_msg(gpg_t)
miscfiles_read_localization(gpg_t)
userdom_use_user_terminals(gpg_t)
+userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
Index: refpolicy-2.20210203/policy/modules/kernel/devices.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/devices.fc
+++ refpolicy-2.20210203/policy/modules/kernel/devices.fc
@@ -137,6 +137,7 @@ ifdef(`distro_suse', `
/dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vhost-scsi -c gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vhost-vsock -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
@@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock
allow sysadm_t self:capability audit_write;
allow sysadm_t self:system status;
+kernel_request_load_module(sysadm_t)
+
corecmd_exec_shell(sysadm_t)
corenet_ib_access_unlabeled_pkeys(sysadm_t)
@@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
init_admin(sysadm_t)
+init_rw_stream_sockets(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
@@ -29,6 +29,10 @@ optional_policy(`
')
optional_policy(`
+ ssh_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
vlock_run(user_t, user_r)
')
@@ -162,10 +166,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- ssh_role_template(user, user_r, user_t)
- ')
-
- optional_policy(`
su_role_template(user, user_r, user_t)
')
Index: refpolicy-2.20210203/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20210203/policy/modules/system/authlogin.te
@@ -389,6 +389,8 @@ domain_use_interactive_fds(utempter_t)
logging_search_logs(utempter_t)
+term_use_ptmx(utempter_t)
+
userdom_use_user_terminals(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
@@ -406,6 +408,7 @@ optional_policy(`
optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
+ xserver_write_inherited_xsession_log(utempter_t)
')
#######################################
Index: refpolicy-2.20210203/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.if
+++ refpolicy-2.20210203/policy/modules/system/init.if
@@ -3498,6 +3498,24 @@ interface(`init_reload_all_units',`
allow $1 { init_script_file_type systemdunit }:service reload;
')
+#######################################
+## <summary>
+## getattr all systemd unit files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ allow $1 systemdunit:file getattr;
+')
+
########################################
## <summary>
## Manage systemd unit dirs and the files in them
Index: refpolicy-2.20210203/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.te
+++ refpolicy-2.20210203/policy/modules/system/init.te
@@ -244,7 +244,6 @@ ifdef(`init_systemd',`
allow init_t self:udp_socket create_socket_perms;
allow init_t self:netlink_route_socket create_netlink_socket_perms;
allow init_t initrc_t:unix_dgram_socket create_socket_perms;
- allow init_t self:capability2 audit_read;
allow init_t self:key { search setattr write };
allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
@@ -262,7 +261,7 @@ ifdef(`init_systemd',`
# setexec and setkeycreate for systemd --user
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
- allow init_t self:capability2 { audit_read block_suspend };
+ allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;
@@ -428,6 +427,7 @@ ifdef(`init_systemd',`
miscfiles_watch_localization(init_t)
mount_watch_runtime_dirs(init_t)
+ mount_watch_runtime_files_reads(init_t)
# systemd_socket_activated policy
mls_socket_write_all_levels(init_t)
Index: refpolicy-2.20210203/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210203/policy/modules/system/logging.te
@@ -510,6 +510,7 @@ seutil_read_config(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
+userdom_search_user_runtime_root(syslogd_t)
ifdef(`init_systemd',`
# for systemd-journal
@@ -549,6 +550,8 @@ ifdef(`init_systemd',`
systemd_manage_journal_files(syslogd_t)
udev_read_runtime_files(syslogd_t)
+ userdom_list_user_tmp(syslogd_t)
+ userdom_read_user_tmp_symlinks(syslogd_t)
')
ifdef(`distro_gentoo',`
Index: refpolicy-2.20210203/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20210203/policy/modules/system/lvm.te
@@ -105,10 +105,13 @@ files_read_etc_files(clvmd_t)
files_list_usr(clvmd_t)
fs_getattr_all_fs(clvmd_t)
+fs_getattr_pstore_dirs(lvm_t)
fs_search_auto_mountpoints(clvmd_t)
+fs_search_cgroup_dirs(lvm_t)
fs_dontaudit_list_tmpfs(clvmd_t)
fs_dontaudit_read_removable_files(clvmd_t)
fs_rw_anon_inodefs_files(clvmd_t)
+fs_search_bpf(lvm_t)
storage_dontaudit_getattr_removable_dev(clvmd_t)
storage_manage_fixed_disk(clvmd_t)
@@ -167,7 +170,6 @@ optional_policy(`
allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
-# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
@@ -298,6 +300,8 @@ selinux_compute_user_contexts(lvm_t)
storage_relabel_fixed_disk(lvm_t)
storage_dontaudit_read_removable_device(lvm_t)
+storage_getattr_removable_dev(lvm_t)
+
# LVM creates block devices in /dev/mapper or /dev/<vg>
# depending on its version
# LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
Index: refpolicy-2.20210203/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20210203/policy/modules/system/modutils.te
@@ -34,6 +34,7 @@ ifdef(`init_systemd',`
#
allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
+allow kmod_t self:lockdown confidentiality;
allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
# for the radeon/amdgpu modules
dontaudit kmod_t self:capability sys_admin;
Index: refpolicy-2.20210203/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/mount.te
+++ refpolicy-2.20210203/policy/modules/system/mount.te
@@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
+fs_getattr_binfmt_misc_fs(mount_t)
fs_getattr_xattr_fs(mount_t)
fs_getattr_tmpfs(mount_t)
fs_getattr_rpc_pipefs(mount_t)
fs_getattr_cifs(mount_t)
fs_getattr_nfs(mount_t)
fs_mount_all_fs(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
Index: refpolicy-2.20210203/policy/modules/system/raid.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/raid.te
+++ refpolicy-2.20210203/policy/modules/system/raid.te
@@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t)
files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
files_dontaudit_getattr_all_files(mdadm_t)
+files_search_tmp(mdadm_t)
fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
@@ -368,14 +368,19 @@ fs_list_inotifyfs(restorecond_t)
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_getattr_pstorefs(restorecond_t)
+logging_watch_generic_logs_dir(restorecond_t)
+
selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t)
selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
+seutil_read_file_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_dontaudit_read_all_symlinks(restorecond_t)
+files_watch_etc_dirs(restorecond_t)
+files_watch_runtime_dirs(restorecond_t)
auth_use_nsswitch(restorecond_t)
logging_send_syslog_msg(restorecond_t)
@@ -416,6 +421,8 @@ allow run_init_t self:netlink_audit_sock
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
+kernel_getattr_proc(run_init_t)
+
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
@@ -585,6 +592,7 @@ allow setfiles_t { policy_src_t policy_c
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
allow setfiles_t file_context_t:file map;
+kernel_read_kernel_sysctls(setfiles_t)
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
@@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over
dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
Index: refpolicy-2.20210203/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/udev.te
+++ refpolicy-2.20210203/policy/modules/system/udev.te
@@ -43,6 +43,7 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
dontaudit udev_t self:capability sys_tty_config;
allow udev_t self:capability2 { wake_alarm block_suspend };
+allow udev_t self:lockdown confidentiality;
allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
@@ -74,6 +75,7 @@ manage_files_pattern(udev_t, udev_rules_
manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+allow udev_t udev_runtime_t:dir watch;
manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
@@ -120,6 +122,7 @@ domain_dontaudit_ptrace_all_domains(udev
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
+files_read_var_lib_symlinks(udev_t)
files_mmap_read_kernel_modules(udev_t)
files_exec_etc_files(udev_t)
files_getattr_generic_locks(udev_t)
@@ -129,6 +132,7 @@ fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
fs_read_cgroup_files(udev_t)
fs_rw_anon_inodefs_files(udev_t)
+fs_search_tmpfs(udev_t)
fs_search_tracefs(udev_t)
mcs_ptrace_all(udev_t)
@@ -153,6 +157,10 @@ auth_read_pam_console_data(udev_t)
auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
+# for /run/console-setup
+fs_manage_tmpfs_dirs(udev_t)
+fs_manage_tmpfs_files(udev_t)
+
init_read_utmp(udev_t)
init_domtrans_script(udev_t)
# systemd-udevd searches /run/systemd
@@ -260,9 +268,6 @@ ifdef(`init_systemd',`
optional_policy(`
init_dbus_chat(udev_t)
')
-',`
- fs_manage_tmpfs_dirs(udev_t)
- fs_manage_tmpfs_files(udev_t)
')
optional_policy(`
Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210203/policy/modules/system/unconfined.te
@@ -39,6 +39,7 @@ logging_send_syslog_msg(unconfined_t)
logging_run_auditctl(unconfined_t, unconfined_r)
mount_run_unconfined(unconfined_t, unconfined_r)
+mount_watch_runtime_files_reads(unconfined_t)
seutil_run_setfiles(unconfined_t, unconfined_r)
seutil_run_semanage(unconfined_t, unconfined_r)
